I am working on an F5 LTM migration, where a pair of LTMs running 14.1.x will be migrated to 2 VMs. All configs can be migrated via UCS loading, but LACP is configured for their network interfaces.
KB K85674611 already outlined the issue for LACP and VM, and provided a workaround of removing LACP before UCS generation. However, the pair of LTMs is running in production, and the customer is reluctant to change the F5 network config, worrying about service interruption.
Is there any other method to allow loading of F5 UCS with LACP configuration in VM appliances? Any ideas?
19-Sep-2022 06:01 - edited 19-Sep-2022 07:00
I won't recommend working with UCS if you're migrating platform, since UCS is intended for full platform recovery and import fails if hardware is different or if license changes.
SCF files are more suited for this purpose: https://support.f5.com/csp/article/K13408
Please consider two things:
1) SSL certificate repository is not normally contained in SCF file, use proper tar-file syntax if you need to export those as well
2) platform migration might still introduce some challenges, for example interface naming might not match between baremetal hardware and the new VMs. If the object names aren't exact matches, configuration import will still fail. This might also apply to LACP -- if this is the case, you might have better luck with importing the configuration manually.
I'm sometimes tasked to perform acceptance testing on some customer configuration, which often translates to me creating a VM environment from a baremetal unit backup. I'm pretty confident with bigip configuration files, and the quickest way for me to complete those configurations is just to overwrite my VM configuration files with configurations that are extracted from a ucs/scf backup:
```bash
# first, I manually configure VM with appropriate network settings
# next, I import the other unit configuration files on the VM with SCP, let's assume I'm using /shared/tmp/ folder
# lastly, I use these commands to import every file until configuration is fully loaded
bash
cp /config/bigip.conf /config/bigip.conf.backup
cp /shared/tmp/other-hardware-bigip.conf /config/bigip.conf
tmsh load sys config verify
tmsh load sys config
tmsh save sys config

# for SSL, the keys in UCS file can be found under \var\tmp\filestore_temp\files_d\Common_d\certificate_key_d\
# I use SCP to copy them all in /config/filestore/files_d/Common_d/certificate_key_d/
# same thing for certificates which are in same path ..\certificate_d
# then, I use tmsh command to import all crt/keys. It does not accept wildcards but it's easy to script
# https://support.f5.com/csp/article/K14031 for reference
tmsh install /sys crypto key <SSL-key-name> from-local-file <path-to-key-file>
tmsh install /sys crypto cert <SSL-certificate-name> from-local-file <path-to-certificate-file>
# remember that SSL files are referenced in the bigip.conf file, so if you need them you should import them before overwriting the bigip.conf file.
```
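The post above notes that `tmsh install /sys crypto` takes no wildcards but is easy to script. The following is an added example, not code from the poster or from F5: it prints one install command per staged file so the list can be reviewed before anything is run. The function names and the sample files are hypothetical, and it assumes the staged files keep filestore-style names (`:Common:<name>_<id>_<rev>`).

```shell
#!/bin/sh
# Added example: print one "tmsh install /sys crypto ..." line per staged file.
# Assumption: staged files keep filestore-style names, for example
#   :Common:www.example.com.key_70001_1  ->  object name www.example.com.key

is_num() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# obj_name FILE: drop the ":Partition:" prefix and the "_<id>_<rev>" suffix.
obj_name() {
    local n rev rest id base
    n=${1##*/}; n=${n##*:}
    rev=${n##*_}; rest=${n%_*}
    id=${rest##*_}; base=${rest%_*}
    if [ "$base" != "$rest" ] && is_num "$rev" && is_num "$id"; then n=$base; fi
    printf '%s\n' "$n"
}

# gen_install_cmds KIND DIR: KIND is "key" or "cert". Prints commands, runs nothing.
gen_install_cmds() {
    local kind dir f name
    kind=$1; dir=$2
    case $kind in key|cert) ;; *) echo "kind must be key or cert" >&2; return 2 ;; esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue              # empty directory or not a regular file
        name=$(obj_name "$f")
        # Refuse anything that is not a plain object name or cannot be quoted safely.
        case "$name" in ''|*[!A-Za-z0-9._-]*) echo "skipped: $f" >&2; continue ;; esac
        case "$f" in *"'"*) echo "skipped: $f" >&2; continue ;; esac
        printf "tmsh install /sys crypto %s %s from-local-file '%s'\n" "$kind" "$name" "$f"
    done
}

# Constructed staging area; the files are empty placeholders, not real keys.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/certificate_key_d" "$demo_dir/certificate_d"
: > "$demo_dir/certificate_key_d/:Common:www.example.com.key_70001_1"
: > "$demo_dir/certificate_key_d/:Common:bad name.key_70002_1"
: > "$demo_dir/certificate_d/:Common:www.example.com.crt_70003_1"

gen_install_cmds key  "$demo_dir/certificate_key_d"
gen_install_cmds cert "$demo_dir/certificate_d"
```

Files reported as skipped on stderr need a manual install with an explicitly chosen object name. Staged private keys under a temporary folder should be deleted once the import has been verified.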
There are some features in the UCS archive tool that allow you to switch platforms without too much hassle. I have had some decent success in the past in using the "platform-migrate" feature.
K82540512: Overview of the UCS archive 'platform-migrate' option
As mentioned in the article, it helps to fix some of the items in the configuration that would normally cause a configuration load to fail.
Hope this helps,